tomcat-users mailing list archives

From "Peter Crowther" <>
Subject RE: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 16:53:52 GMT
> From: Christopher Schultz [] 
> I would argue that Apache httpd is quite mature and is trustworthy.
> Sure, you're not likely to run into a buffer overflow bug in Tomcat, but
> a bad configuration can open any server to attack. Is a bad Tomcat
> configuration alone any better than a bad Tomcat configuration sitting
> behind Apache httpd?

Depends on the quality of the httpd configuration, which is then another
thing for a new administrator (presumably the person this document is
aimed at) to get wrong, or at least not completely right.  Setting up
the httpd->jk->Tomcat link is also somewhat ticklish, and debug steps
taken during this process (which may grant wider access than required in
order to eliminate security concerns from the list of possibilities) may
not always be reversed, leaving holes in the final system.

For myself, I'd rather configure a good firewall in front of Tomcat than
use httpd solely for the purpose of security.  That's using a tool for a
purpose for which it was not designed.

		- Peter
